Setting ['login_rate_limit'] to prevent brute force login attacks in Roundcube

d19dotca

I realized recently that there's a setting in Roundcube that can help prevent brute force login attacks.

I went to see if this was set in the Roundcube package to figure if it was adequate or if I should add it into the customization file.

I didn't find anything in the Cloudron Roundcube App config template which contains $config['login_rate_limit'] = 3; (which is the default in Roundcube apparently, according to their repo on GitHub).

So I am just wondering two things...

1. Is this setting actually enabled in the Roundcube package and I just missed it?

2. Is the brute-force attack limited by other Cloudron security settings perhaps which means it's not necessary in the app itself?

3. If it's not set, should it be perhaps considered in the app package?

I'll set it manually in the custom config file if needed, but wanted to check on this first with just what I found from some quick research.

murgero

@d19dotca I don't use this in my roundcube but wouldn't setting a rate limit in LDAP (obviously only apps that support LDAP login would work here) be a better option?

d19dotca

@murgero I agree, however it doesn’t seem that Cloudron’s built-in rate limiting helps cover this use-case.

Am I maybe missing a configuration that covers that?

murgero

@d19dotca The bit that says "Cloudron Password Verification Routes" I believe covers LDAP logins @girish is this a valid statement?

d19dotca

@murgero Ah okay. If true, that seems way too low of a rate limit to really be effective at all. Because that’d mean that one user could try to login 10 times per second? I’d think it should be at least 10 times per minute especially since it’s per IP. If almost prefer it to be more like 5 a minute tops, personally.

imc67

@d19dotca said in Setting ['login_rate_limit'] to prevent brute force login attacks in Roundcube:

If almost prefer it to be more like 5 a minute tops, personally

That’s why I suggested in this post https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4 to make all the rate limiting configurable

d19dotca

@imc67 Ah okay, that’s actually what got me looking into Roundcube in particular and led me down this path. Haha. I agree, the rate limiting needs to be customizable. I just thought maybe I can do it at the app level (which seems like I can for Roundcube at least but not sure if this is overwritten by the system settings). Maybe I’ll just wait until it’s baked into Cloudron to configure properly down the road.

girish

Some part of this like rate limits and notifications of hitting rate limits (for API, LDAP etc) are part of our focus in 6.3. We want to review all our current security settings before going multi-host.